[CVE-2017-7737] Password disclosure in FortiWeb appliance
The FortiWeb appliance discloses the SNMP version 3 user's password. The web page displayed by the appliance contains the password in clear text.
Product Description
FortiWeb is a Web Application Firewall (WAF) produced by the Fortinet company. It enables users to set security filters between unsecured networks and Web applications.
Official website: https://www.fortinet.com/products/application-security/fortiweb.html
Details
Access Vector: remote
Security Risk: low
Vulnerability: CWE-200
CVSS Base Score: 4.9
CVSS vector: CVSS:3.0/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:N/A:N/E:H/RL:O/RC:C
Vulnerability description
The FortiWeb appliance discloses the SNMP version 3 user’s password. The web page displayed by the appliance contains the password in clear text.
Thus, any administrator account with at least read-only access is able to retrieve it.
Exploitation
To obtain this password, navigate in the administration panel to: System -> Config -> SNMP -> edit SNMPv3 user.
Reading the HTML source code of that page reveals the password of the SNMP user in clear text.
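The check below is an added example written for this advisory; it is not Sysdream's or Fortinet's code. It automates the step described above: save the HTML of the "edit SNMPv3 user" page from an authenticated (read-only) admin session and scan it for credential input fields whose value attribute has been populated by the server. The advisory does not document the page's form field names, so the sample pages, field names (auth_pwd, priv_pwd) and canary password are constructed assumptions for illustration. It also implements the simplest possible test: configure a known canary password for the SNMPv3 user and check that the string appears nowhere in the page source (form values, inline JavaScript or HTML comments).

```python
"""Scan a saved admin page for an SNMPv3 password echoed into its HTML source.

Added example for this advisory, not vendor or Sysdream code. The field
names and sample pages below are constructed; the real FortiWeb page layout
is not documented in the advisory.
"""
from html.parser import HTMLParser


class PasswordFieldFinder(HTMLParser):
    """Collect <input> elements that look like credential fields
    (type="password" or a name mentioning pass/pwd/secret) and carry a
    non-empty value attribute. Any hit means the server sent a stored
    secret back to the browser in clear text."""

    SECRET_NAME_HINTS = ("pass", "pwd", "secret")

    def __init__(self):
        super().__init__()
        self.hits = []

    def handle_starttag(self, tag, attrs):
        if tag.lower() != "input":
            return
        a = {k.lower(): (v or "") for k, v in attrs}
        name = a.get("name", "")
        looks_secret = (a.get("type", "").lower() == "password"
                        or any(h in name.lower() for h in self.SECRET_NAME_HINTS))
        if looks_secret and a.get("value"):
            self.hits.append((name, a["value"]))


def find_echoed_password_fields(html):
    """Return [(field_name, value), ...] for every credential field whose
    value was pre-filled by the server."""
    parser = PasswordFieldFinder()
    parser.feed(html)
    parser.close()
    return parser.hits


def page_leaks_secret(html, canary):
    """Canary check: after setting the SNMPv3 user's password to a known
    random string, the string must not appear anywhere in the page source,
    including inline scripts and comments that the form scan would miss."""
    return canary in html


# Constructed canary and sample pages (assumed layout, not the real appliance HTML).
CANARY = "Canary-9f1c2b7e-SNMPv3"

VULNERABLE_PAGE = f"""<html><body>
<form method="post" action="#">
  <input type="text" name="username" value="snmpro">
  <input type="password" name="auth_pwd" value="{CANARY}">
  <input type="password" name="priv_pwd" value="Priv-5d4a-canary">
  <input type="hidden" name="csrf_token" value="0123456789abcdef">
</form>
<script>var authPwd = "{CANARY}";</script>
</body></html>"""

# The same form as a fixed build would render it: credential fields left empty.
FIXED_PAGE = """<html><body>
<form method="post" action="#">
  <input type="text" name="username" value="snmpro">
  <input type="password" name="auth_pwd" value="">
  <input type="password" name="priv_pwd" value="">
  <input type="hidden" name="csrf_token" value="0123456789abcdef">
</form>
</body></html>"""


def report(html, canary):
    """Summarise both checks for one saved page."""
    return {
        "echoed_fields": find_echoed_password_fields(html),
        "canary_in_source": page_leaks_secret(html, canary),
    }


if __name__ == "__main__":
    for label, page in (("vulnerable", VULNERABLE_PAGE), ("fixed", FIXED_PAGE)):
        print(label, report(page, CANARY))
```

Run it against the page source saved from a browser logged in with a read-only administrator account (or fetched with any authenticated HTTP client); re-run it after upgrading to confirm the credential fields come back empty and the canary no longer appears. The canary check is the one to trust: a field-name heuristic can miss a secret embedded in a script block or comment, while a known random string cannot be present by accident.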
Affected version
- FortiWeb 5.4.1 through 5.8.2 (inclusive)
Solution
Upgrade to FortiWeb version 5.8.3
References
Timeline (dd/mm/yyyy)
- 03/05/2017 : Initial discovery
- 05/06/2017 : First contact with customer support
- 23/06/2017 : Reply from PSIRT team
- 27/06/2017 : Providing all details to the PSIRT team
- 28/06/2017 : Acknowledgment by Fortinet PSIRT team, registering of CVE-2017-7737 and fix scheduling for version 5.8.3
- 12/08/2017 : Publication of the Fortinet PSIRT advisory
- 20/11/2017 : Sysdream publication
(Congratulations to the Fortinet team for the very professional and quick handling of this issue)
Credits
- Florian NIVETTE, Sysdream (f.nivette -at- sysdream -dot- com)